DamianCrosby (Posts: 25) | 08/06/2010 4:00 PM
Hi
Broad question for the group
The debate between using OUs v. Security Group Filtering when thinking about policy application and processing is a trade-off which is hard to measure. Policy evaluation is done on the containers on the DN, so as long as the hierarchy is shallow the work in terms of evaluation and processing is equitable. The real overhead is incurred in the policy design itself and how the policies are built out. Does anyone have any passionate thoughts on whether to use a general OU design (say, Computers) and filter GPOs on security groups to get the incremental-type settings (virtual machines as a subset of computers), or alternatively to use a structured OU model to get better control?
When looking at the design model, I considered: does this OU need to be created so a unique Group Policy Object (GPO) can be applied to it? Does a particular group of administrators need to have permissions to the objects in this OU? Will this new OU make it easier to administer the objects within it?
Thoughts?
Thanks.
Damian.
-------------------------------------------------------------------------- NOTICE: If received in error, please destroy, and notify sender. Sender does not intend to waive confidentiality or privilege. Use of this email is prohibited when received in error. We may monitor and store emails to the extent permitted by applicable law.
KevinWornell (Posts: 29) | 08/06/2010 4:01 PM
Damian,
One other thing to consider when using Groups versus OUs to control policy application is the need for a reboot of the target machines to pick up any group changes. This sounds trivial but can be very important in the overall scheme. We used Groups as the main method for policy application and are finding that, with the same number of policies being applied, the OU structure is a bit faster. Microsoft has explained this as being caused by the need to re-evaluate group membership on every policy refresh to ensure the policy still applies to the target.
It also gets us out of needing a reboot to pick up group membership change.
Kevin
Kevin Wornell Sr. Technical Engineer Towers Watson Suite 4100, 500 N. Akard Street | Dallas, TX, 75201 Phone: 214.530.4057 | Fax: 214.988.5711 xxxxxxxxxxxxxxxx www.towerswatson.com
Notice of Confidentiality This transmission contains information that may be confidential. It has been prepared for the sole and exclusive use of the intended recipient and on the basis agreed with that person. If you are not the intended recipient of the message (or authorized to receive it for the intended recipient), you should notify us immediately; you should delete it from your system and may not disclose its contents to anyone else.
This e-mail has come to you from Towers Watson Delaware Inc.
Syspro (Posts: 0) | 08/06/2010 4:03 PM
Damian,
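An added example, not code from the thread, of the situation behind Kevin's reboot remark: a computer's policy processing keeps using the group membership in its current token, so a GPO filtered to a group the computer was just added to will not apply until the token is refreshed. The script compares the computer's direct group membership in AD with the security groups recorded in its last computer RSoP and, where they differ, applies the usual alternative to a reboot. Everything here is assumed rather than taken from the page: the RSAT GroupPolicy and ActiveDirectory modules are installed, the script runs elevated on the target computer, and purging the System logon session's Kerberos tickets is acceptable in your environment (that is the topic of the blog post Darren links further down, but the exact commands are my assumption, not quoted from it).

```powershell
#Requires -RunAsAdministrator
# Added example (assumptions: RSAT GroupPolicy + ActiveDirectory modules, run
# elevated on the domain-joined computer being checked).
Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-RsopComputerGroupSids {
    # SIDs of the security groups the Group Policy engine used the last time it
    # processed computer policy (ComputerResults/SecurityGroup in the RSoP XML).
    $report = Join-Path $env:TEMP ('rsop-{0}.xml' -f [guid]::NewGuid())
    try {
        Get-GPResultantSetOfPolicy -Computer $env:COMPUTERNAME -ReportType Xml -Path $report | Out-Null
        [xml]$rsop = Get-Content -Path $report -Raw
        foreach ($g in @($rsop.Rsop.ComputerResults.SecurityGroup)) {
            if (-not $g) { continue }
            # The SID element carries an xmlns attribute, so PowerShell may hand
            # back an XmlElement rather than a plain string; handle both.
            if ($g.SID -is [System.Xml.XmlElement]) { $g.SID.InnerText } else { [string]$g.SID }
        }
    } finally {
        Remove-Item -Path $report -ErrorAction SilentlyContinue
    }
}

function Get-AdComputerGroupSids {
    # Direct group membership of the computer account as recorded in AD right now.
    # Nested (group-in-group) membership is not expanded; the token does include
    # nested groups, so a direct member of a filtering group is the common case.
    $computer = Get-ADComputer -Identity $env:COMPUTERNAME
    Get-ADPrincipalGroupMembership -Identity $computer | ForEach-Object { $_.SID.Value }
}

function Test-StaleGroupMembership {
    # Groups the computer is in according to AD but that the policy engine has not
    # seen yet: GPOs filtered to these will not apply until the token is refreshed.
    $inToken = @(Get-RsopComputerGroupSids)
    foreach ($sid in Get-AdComputerGroupSids) {
        if ($inToken -notcontains $sid) {
            $g = Get-ADGroup -Identity $sid -Properties Description
            [pscustomobject]@{ Group = $g.Name; SID = $sid; Description = $g.Description }
        }
    }
}

$stale = @(Test-StaleGroupMembership)
if ($stale.Count -eq 0) {
    Write-Output 'Policy engine token matches AD membership; nothing to do.'
} else {
    $stale | Format-Table -AutoSize
    # Widely used alternative to a reboot (assumption, not quoted from the page):
    # purge the Kerberos tickets of the System logon session (LUID 0x3e7) so the
    # next computer policy refresh authenticates with a fresh TGT that carries the
    # updated group SIDs, then force that refresh.
    klist -li 0x3e7 purge | Out-Null
    gpupdate /target:computer /force
    Write-Output 'Re-run this script (or gpresult /r /scope:computer) to confirm the groups were picked up.'
}
```

Run it right after adding a computer to a filtering group: a non-empty table means the filtered GPO is silently not applying yet, which is the gap Kevin is describing. The same lag exists on the user side (a user added to a filtering group keeps the old token until the next logon), so a design built on group filtering should treat "membership changed" and "policy in effect" as two separate states and verify the second before relying on it.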
I would hate to disagree with Darren, but I would lean the other way and tend to use more security settings and less OU structure.
That is not to say that I wouldn't use OU structures, but I wouldn't create an OU of "Administrators", for instance, but just use security filtering. Potentially you may have to create many OUs for administrators that live in different OUs. Then you have to check that the GPO is linked into the correct OUs.
The problem with using OUs is that the number of OUs required can grow exponentially. For instance, if you have 10 different settings that you want to enforce, you potentially need 2^10 OUs (1,024) to cover every combination, whereas you can achieve the same functionality by managing 10 groups and using security filtering.
I think the secret is to keep it simple and have groups that clearly indicate their purpose. By way of example, say you have 20 OUs that define your structure and someone says "we have a requirement that some people do not want their screens to lock". Rather than create 20 new OUs each with "No_Screen_Lock" in the name, you just create a group called GrpPolicy_No_Screen_Lock and create a GPO linked at the domain level. Provided you have a good naming convention, you can easily see the special policies that the user/machine gets by checking the group membership for groups starting with GrpPolicy. It also has the advantage that you can delegate control of the group to a single person who has procedures for adding/removing/reviewing membership of the group.
I would design the OU structure based around security delegation, use it for Group policy management where feasible, then use security filtering for things that cut across the delegation structure.
Of course, I would tend to use the OU structure if the user requirement applied only to one existing OU, i.e. if the problem was "we have a requirement that some people in the Finance OU do not want their screens to lock".
Alan Cuthbertson
Policy Management Software (now with ADMX and Preference support):
http://www.sysprosoft.com/index.php?ref=activedir&f=pol_summary.shtml
ADM Template Editor (now with ADMX support):
http://www.sysprosoft.com/index.php?ref=activedir&f=adm_summary.shtml
Policy Log Reporter, including Preference logging (free):
http://www.sysprosoft.com/index.php?ref=activedir&f=policyreporter.shtml
From: xxxxxxxxxxxxxxxx [mailto:xxxxxxxxxxxxxxxx] On Behalf Of Darren Mar-Elia Sent: Friday, 4 June 2010 12:33 AM To: xxxxxxxxxxxxxxxx Subject: RE: [gptalk] Security Group Filtering v Structured OU Design
Damian-
I would add on to what Kevin has said by saying that the practical implications of managing via security group filter in large, complex environments quickly outstrip their benefit. There is something to be said for "What you see is what you get", especially as things get complex. And, when you look at a given OU structure with lots of GPOs linked and can't immediately tell which computers or users are going to get which policies, it quickly increases the time you have to spend analyzing that (or troubleshooting it if something goes wrong). That being said, there is a point at which you can get silly with OUs. I've been working the problem around managing policy for VDI lately, and I can tell you that the existing policy structure I'm working with, with lots of security filters and domain-level enforced GPOs, is forcing me to have to segregate the VDI systems into their own OU, block inheritance and implement loopback. In general I would recommend using security filters on an exception basis only, rather than as a design point.
Kevin, as to your group membership reboot requirement, if you haven't already checked this out: http://sdmsoftware.com/blog/2008/08/22/picking-up-computer-group-membership-changes-without-a-reboot/, it might help.
Darren
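An added example, not code from the thread or from Sysprosoft, of the pattern Alan describes: one GrpPolicy_* group, one GPO linked once at the domain root and security-filtered to that group, and the audit of "which GrpPolicy groups is this principal in". It is built with the RSAT GroupPolicy and ActiveDirectory modules. The domain name corp.example.com, the OU the groups live in, the GrpPolicy_ prefix, the delegate and user names, and the choice of "Password protect the screen saver = Disabled" as the sample setting are all placeholders and assumptions of mine. Step 5 adds a caveat that post-dates this thread (MS16-072, June 2016): user-side policy is now retrieved in the computer's security context, so a GPO filtered to a user group must still be readable by the computer, or it stops applying.

```powershell
# Added example (assumptions: RSAT GroupPolicy + ActiveDirectory modules; the
# domain, OU, prefix, setting and identities below are placeholders).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$DomainDn = 'DC=corp,DC=example,DC=com'              # assumption
$GroupOu  = "OU=Policy Groups,OU=Groups,$DomainDn"   # assumption
$Prefix   = 'GrpPolicy_'

function New-FilteredPolicy {
    param(
        [Parameter(Mandatory)][string]$Setting,   # e.g. 'No_Screen_Lock'
        [Parameter(Mandatory)][string]$Owner      # delegate who manages membership
    )
    $groupName = "$Prefix$Setting"
    $gpoName   = "GrpPolicy - $Setting"

    # 1. The group is the whole exception mechanism; its description points back
    #    at the GPO so the relationship is discoverable from either side.
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $GroupOu `
        -ManagedBy $Owner -Description "Members receive GPO '$gpoName' (linked at domain root)." | Out-Null

    # 2. One GPO, linked once at the domain root: no per-OU links to keep in sync.
    New-GPO -Name $gpoName -Comment "Security-filtered to $groupName" | Out-Null
    New-GPLink -Name $gpoName -Target $DomainDn -LinkEnabled Yes | Out-Null

    # 3. The sample setting: User Configuration > Policies > Administrative Templates
    #    > Control Panel > Personalization > "Password protect the screen saver" =
    #    Disabled, which is the "no screen lock" requirement in Alan's example.
    Set-GPRegistryValue -Name $gpoName -Key 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop' `
        -ValueName 'ScreenSaverIsSecure' -Type String -Value '0' | Out-Null

    # 4. Security filtering: drop the default Authenticated Users entry and grant
    #    Apply (which implies Read) to the group only.
    Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
        -PermissionLevel None -Replace | Out-Null
    Set-GPPermission -Name $gpoName -TargetName $groupName -TargetType Group `
        -PermissionLevel GpoApply | Out-Null

    # 5. Since MS16-072 (June 2016) the client reads user-side policy in the
    #    computer's security context, so the computer must still be able to read a
    #    GPO filtered to a user group. Read-only for Domain Computers keeps the
    #    filter intact (Read is not Apply) and avoids that breakage.
    Set-GPPermission -Name $gpoName -TargetName 'Domain Computers' -TargetType Group `
        -PermissionLevel GpoRead | Out-Null

    # Return the resulting ACL so the filter can be eyeballed and logged.
    Get-GPPermission -Name $gpoName -All |
        Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
}

function Get-PolicyGroupMembership {
    # The check Alan describes: every GrpPolicy_* group a user or computer belongs
    # to, i.e. the special policies it receives on top of its OU's links.
    param([Parameter(Mandatory)][string]$Identity)   # sAMAccountName; computers end in '$'
    Get-ADPrincipalGroupMembership -Identity $Identity |
        Where-Object { $_.Name -like "$Prefix*" } |
        Sort-Object Name |
        ForEach-Object {
            [pscustomobject]@{
                Principal = $Identity
                Group     = $_.Name
                Setting   = $_.Name.Substring($Prefix.Length)
                ManagedBy = (Get-ADGroup -Identity $_ -Properties ManagedBy).ManagedBy
            }
        }
}

# Usage (placeholder identities): create the exception, enrol one user, audit.
New-FilteredPolicy -Setting 'No_Screen_Lock' -Owner 'helpdesk.lead'
Add-ADGroupMember -Identity "${Prefix}No_Screen_Lock" -Members 'alice'
Get-PolicyGroupMembership -Identity 'alice' | Format-Table -AutoSize
```

Two practical notes. Membership of a GrpPolicy_* group that relaxes a control (no screen lock, local admin, a weaker audit setting) is effectively a privilege, so the delegate Alan mentions should be treated as a privileged role and the group's membership reviewed on a schedule, not just at creation. And the loss of "what you see is what you get" that Darren warns about can be contained by making the reverse audit routine as well: enumerate every GPO with Get-GPPermission -All and flag any whose trustees are not the plain Authenticated Users default, so the set of filtered GPOs is always known rather than rediscovered during troubleshooting.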